Date: Fri, 19 Apr 2024 15:42:26 -0700
From: Stanislav Fomichev
To: Alexei Starovoitov
Cc: syzbot, Björn Töpel, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Song Liu, syzkaller-bugs, Yonghong Song
Subject: Re: [syzbot] [bpf?] BUG: unable to handle kernel paging request in bpf_prog_ADDR (2)
References: <0000000000004792a90615a1dde0@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 04/19, Alexei Starovoitov wrote:
> On Mon, Apr 8, 2024 at 8:53 PM syzbot wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
> > git tree:       upstream
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=12596223180000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=4d90a36f0cab495a
> > dashboard link: https://syzkaller.appspot.com/bug?extid=838346b979830606c854
> > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=134ecbb5180000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=141a8b3d180000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/f6c04726a2ae/disk-fe46a7dd.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/09c26ce901ea/vmlinux-fe46a7dd.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/134acf7f5322/bzImage-fe46a7dd.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+838346b979830606c854@syzkaller.appspotmail.com
> >
> > BUG: unable to handle page fault for address: 0000001000000112
> > #PF: supervisor read access in kernel mode
> > #PF: error_code(0x0000) - not-present page
> > PGD 800000002e7b1067 P4D 800000002e7b1067 PUD 0
> > Oops: 0000 [#1] PREEMPT SMP KASAN PTI
> > CPU: 0 PID: 5060 Comm: syz-executor351 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
> > RIP: 0010:bpf_prog_a8e24a805b35c61b+0x19/0x1e
> > Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 31 c0 48 8b 7f 18 <8b> 7f 00 c9 c3 cc cc cc cc cc cc 40 03 00 00 cc cc cc cc cc cc cc
> > RSP: 0018:ffffc90003b07b30 EFLAGS: 00010246
> > RAX: 0000000000000000 RBX: ffffc90000ace048 RCX: ffff88802aa89e00
> > RDX: 0000000000000000 RSI: ffffc90000ace048 RDI: 0000001000000112
> > RBP: ffffc90003b07b30 R08: ffffffff81bf633c R09: 1ffffffff2595ca0
> > R10: dffffc0000000000 R11: ffffffffa000095c R12: ffffc90000ace030
> > R13: ffff88802ac3ae28 R14: dffffc0000000000 R15: ffff88802ac3ae28
> > FS:  000055558f759380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000001000000112 CR3: 0000000077cfa000 CR4: 00000000003506f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >
> >  bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
> >  __bpf_prog_run include/linux/filter.h:657 [inline]
> >  bpf_prog_run include/linux/filter.h:664 [inline]
> >  bpf_prog_run_array_cg kernel/bpf/cgroup.c:51 [inline]
> >  __cgroup_bpf_run_filter_setsockopt+0x6fa/0x1040 kernel/bpf/cgroup.c:1830
> >  do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293
> >  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334
> >  __do_sys_setsockopt net/socket.c:2343 [inline]
> >  __se_sys_setsockopt net/socket.c:2340 [inline]
> >  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
> >  do_syscall_64+0xfb/0x240
> >  entry_SYSCALL_64_after_hwframe+0x6d/0x75
>
> This one looks interesting.
> But I cannot reproduce it.
>
> Bjorn or Stan,
>
> Could you take a look?
>
> Probably a race in xdp dispatcher setup or the way cgroup-lsm
> logic is doing it.

Managed to repro it by hacking the C reproducer to attach bpf prog to
/sys/fs/cgroup instead of syzkaller's custom path. Will try to poke it a
bit more..
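An added triage helper, not code from this thread or from the kernel tree: it parses the oops quoted above, decodes the #PF error code, locates the instruction bytes at RIP and at the function entry inside the Code: line, and reports which registers held the faulting address and the first non-inlined frame. The excerpt embedded in the block is copied from the report; the parsing logic and field names are mine.

```python
import re

# Lines quoted from the syzbot report above (not constructed), trimmed to what the parser reads.
OOPS = """\
BUG: unable to handle page fault for address: 0000001000000112
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
RIP: 0010:bpf_prog_a8e24a805b35c61b+0x19/0x1e
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 31 c0 48 8b 7f 18 <8b> 7f 00 c9 c3 cc cc cc cc cc cc 40 03 00 00 cc cc cc cc cc cc cc
RDX: 0000000000000000 RSI: ffffc90000ace048 RDI: 0000001000000112
CR2: 0000001000000112 CR3: 0000000077cfa000 CR4: 00000000003506f0
Call Trace:
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 bpf_prog_run_array_cg kernel/bpf/cgroup.c:51 [inline]
 __cgroup_bpf_run_filter_setsockopt+0x6fa/0x1040 kernel/bpf/cgroup.c:1830
 do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293
"""

def decode_pf_error(code: int) -> str:
    """Decode the x86 #PF error-code bits (P, W/R, U/S, RSVD, I/D) in words."""
    parts = ["present" if code & 1 else "not-present",
             "write" if code & 2 else "read",
             "user" if code & 4 else "kernel"]
    parts += [name for bit, name in ((8, "reserved-bit"), (16, "instruction-fetch")) if code & bit]
    return ", ".join(parts)

def parse_oops(text: str) -> dict:
    """Extract the facts a triager checks first from a page-fault oops."""
    addr = int(re.search(r"page fault for address: ([0-9a-f]+)", text).group(1), 16)
    code = int(re.search(r"error_code\((0x[0-9a-f]+)\)", text).group(1), 16)
    sym, off, size = re.search(r"RIP: \d+:(\S+)\+0x([0-9a-f]+)/0x([0-9a-f]+)", text).groups()
    # General-purpose registers and CR2, so we can see which register held the bad address.
    regs = {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b(R[A-Z0-9]{2}|CR2): ([0-9a-f]{16})\b", text)}
    code_bytes = re.search(r"^Code: (.*)$", text, re.M).group(1).split()
    rip_idx = next(i for i, b in enumerate(code_bytes) if b.startswith("<"))  # <8b> marks RIP
    entry = rip_idx - int(off, 16)  # RIP is sym+off, so the function entry is off bytes earlier
    frames = re.findall(r"^ (\S+) (\S+)( \[inline\])?$", text, re.M)
    return {
        "fault_addr": addr,
        "error": decode_pf_error(code),
        "symbol": sym, "offset": int(off, 16), "size": int(size, 16),
        "bytes_at_rip": [b.strip("<>") for b in code_bytes[rip_idx:rip_idx + 3]],
        "bytes_at_entry": code_bytes[entry:entry + 4],  # endbr64 (f3 0f 1e fa) when built with IBT
        "regs_equal_to_fault_addr": sorted(r for r, v in regs.items() if v == addr),
        "first_non_inline_frame": next(f.split("+")[0] for f, _, inl in frames if not inl),
    }
```

For this report it yields error "not-present, read, kernel", the faulting address sitting in both RDI and CR2, and __cgroup_bpf_run_filter_setsockopt as the first frame that is not inlined.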